At Least 5 Million Endpoints on the Internet Are Speaking RDP, Says Researcher

According to data collected by security researcher Dan Kaminsky, the recently disclosed RDP vulnerability in Windows has a potential attack surface equal to millions of systems. Interestingly, this data is based on scans to less than 10-percent of the Internet.

“There’s a very good chance that your network is exposing some RDP surface,” Kaminsky wrote in a blog post.

“If you have any sort of crisis response policy, and you aren’t completely sure you’re safe from the RDP vulnerability, I advise you to invoke it as soon as possible.”

Earlier this week, Microsoft issued a patch for a vulnerability in the Remote Desktop Protocol (RDP) and urged systems administrators to apply it as soon as possible. Industry experts issued similar statements, mirroring each other’s thoughts and promoting a ‘patch now’ stance.

One of the reasons for the urgency is that the patched flaw, if exploited in a wide scale, could lead to the creation of a nasty Worm. Nothing on the scale of Conficker to be sure, but it would be a nightmare to deal with nevertheless.

In fact, the day the patch was released from Redmond, many speculated that working proof-of-concept code targeting the flaw would appear before the month was out. As it turns out, they were correct.

On Friday, most of the Web was discussing the RDP flaw and the discovery that the code sent to ZDI by researcher Luigi Auriemma, had been published to a Chinese file hosting service. Given the nature of the code, and the fact it used the same special packet to exploit RDP that Auriemma used in his report to ZDI, Microsoft was blamed for the leak.

The leak, it’s alleged, came from Microsoft’s Active Protections Program (MAPP), which shared vulnerability information and research for this month’s fixes with other security vendors. It’s said that the code exploiting the RDP flaw could have leaked from a MAPP partner or a Microsoft employee. To be clear, this is speculation, and there is no solid evidence one way or another, but it’s worth mentioning given that a working exploit is in the wild.

Yunsun Wee, director of Trustworthy Computing for Microsoft, said in a statement that the software giant is investigating the incident.

"The details of the proof-of-concept code appear to match the vulnerability information shared with Microsoft Active Protections Program (MAPP) partners," Wee said. "Microsoft is actively investigating the disclosure of these details and will take the necessary actions to protect customers and ensure that confidential information we share is protected pursuant to our contracts and program requirements."

The update, MS12-020, was the only critical patch released this month by Microsoft. While most systems have RDP disabled by default, the critical rating is due to the fact that many businesses rely on the feature for normal IT operations.

Again, the fear is that an attack against the flaw would be Worm related, such as one that targeted RDP last fall. Kaspersky Labs was the first vendor to stress the need to apply MS12-020, reminding organizations of the Morto Worm, which worked by brute forcing Administrator account passwords using a list of common passwords.

Systems that were not restricting RDP access via VPN or used a weak password were at risk then, but now, the addition of remote code execution against RDP “is pretty much as bad as it gets,” McAfee’s Dace Marcus said.

For his research, Kaminsky said that he scanned 300 million IP addresses, of which approximately 415,000 endpoints showed evidence of RDP. Extrapolated against the full 3.75 Billion IPs, about 5.1M IPs would show evidence of RDP.

“Now, some subset of these endpoints are patched, and some (very small) subset of these endpoints aren’t actually the Microsoft Terminal Services code at all. But it’s pretty clear that, yes, RDP is actually an enormously deployed service, across most networks in the world,” he noted.

“Not all bugs are equally dangerous because not all code is equally deployed. Some flaws are simply more accessible than others, and RDP — as the primary mechanism by which Windows systems are remotely administered — is a lot more accessible than a lot of people were aware of.”

Invincea’s Anup Ghosh, commenting on Kaminsky’s post, recommended that administrators block in-bound RDP to desktops at the firewall, while allowing only essential access on a case-by-case basis restricted by IP. In addition, if not needed at all, then RDP should be turned off. No matter what, the patch should be applied.

SecurityWeek reached out to Kaminsky to see if his research has expanded on the initial findings. We’ll update when we have more information.

Correction: 03/18/12 6:55PM ET - Correction on number of IPs that showed direct evidence of RDP.

Steve Ragan is a security reporter and contributor for SecurityWeek. Prior to joining the journalism world in 2005, he spent 15 years as a freelance IT contractor focused on endpoint security and security training.